This is a Perl script designed to back up eDirectory on Linux or Solaris. eDirectory 8.7.x, 8.8, and 9.0 along with NICI 2.6.x, 2.7, and 3.0 currently work and are tested on Linux and, where possible, Solaris. To run the script, save it to a box with eDirectory on it and make the script executable. The script will automatically run with Perl when it is run directly. Perl comes, by default, on all Unix and Linux distributions. The script will run anywhere Perl is, though it is not made to do anything properly on other platforms.

Update: 2015 June 2015 – Added support for eDirectory 9.0

Update: 2012 Mar 22 – Fixes a couple of potential issues that have come up over the past couple years.

Update: 2007 Mar 03 – Now backs up vardir instead of dibdir only. For 8.8 it also backs up dibdir if it is not contained in vardir for large distributed-filesystem environments.

The script has a few options that can be passed in for scriptability without prompts. The info from -h follows:


./ -h #Show help information. This info here.
./ -p /tmp/backup/path/goes/here
./ -c /etc/nds/conf/file/nds.conf[,/etc/other/conf/file/nds.conf]
./ -d /etc/opt/novell/eDirectory/conf/.edir/
./ -s #Force through the reminders that are defaults.

-h                     #Show help information. This info here.
-p /tmp/backup/path/goes/here
-c /etc/nds/conf/file/nds.conf[,/etc/other/conf/file/nds.conf]
-d /etc/opt/novell/eDirectory/conf/.edir/
-s             #Force through the reminders that are defaults.
-n             #Prevent restart of eDirectory after backup.

The -p option lets you specify where to put the destination TAR (Tape ARchive) files. This defaults to /root for security reasons. On Solaris you will want to create and secure this directory if it does not exist by default.

The -c option specifies a configuration (nds.conf) file specifically. This is useful for eDirectory 8.8 where multiple instances exist and need to be backed up in a scripted fashion (weekly backups of the entire DIB, for example).

The -d option specifies the directory where multiple configuration files exist. By default this is the /etc/opt/novell/eDirectory/conf/.edir/ directory. Having this configurable allows the script to be used for non-root installations of eDirectory. Non-root installations are installed all to one location, like a user’s home directory.

The -s option skips the first prompt, which tells the user that the DS instance being backed up will be shut down so the backup can be taken properly. Use this whenever the script is called from other scripts where interactivity is not an option. It can also be used to prevent one more check that may be annoying.

The -n option will cause the eDirectory instance to remain turned off after the backup. The biggest use for this option is helping customers perform an upgrade via migration to a new box, for example building a new system with latest patches, installing eDirectory, giving the new box the same hostname and IP as the old box, then on the old box stopping eDirectory, getting the conf/DIB/NICI information, and moving it to the new box which takes over the identity. In OES terms this would be an ID Transfer, but that does not exist officially in eDirectory-land. Still, this process works very well, and is very useful for IDM migrations in particular because all of the driver information remains the same and is present in the DIB, plus this provides minimal downtime for a full system upgrade of any eDirectory host. Without this option in this case, though, the script “helpfully” restarts eDirectory after the backup, which is exactly what you do not want.

To run this script with eDirectory 8.8, be sure you have run the ndspath command. Without this the script will fail because it cannot find ndsmanage. This goes for eDirectory installed as root or non-root. As long as ndsmanage can be called without the absolute path, the script will work.

The script has many lines of comments at the beginning regarding the script’s operation. Read these before using the script. Also, you should try this out on your own and understand how things work before making this back up your DS nightly. Failing to do so could leave your DS stopped when it should have been restarted. The script performs no checks for adequate space, and each backup is made to a new file, so running this regularly will, eventually, fill your hard drive.

At the end of each run of the script a return value is sent back to the prompt for interpretation. A 0 means there were no fatal errors; a 1 means there was a fatal error. As other commands are run by the script, the return values of those calls are included in the log, which is output to the screen (via STDERR). That can be redirected to /dev/null (./ -s 2>/dev/null) or it can be saved to a file for further analysis and interpretation (mail it to yourself, for example). The logging is fairly extensive and very helpful for troubleshooting.
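An added example (not part of the original script or post) of a wrapper for unattended runs that covers the gaps noted above: it checks free space before eDirectory is stopped, keeps the archives private, saves the STDERR log, and acts on the 0/1 return value. BACKUP_CMD, DEST, MIN_FREE_KB and KEEP_DAYS are assumed names and values, and the backup script's path is a placeholder.

```shell
#!/bin/sh
# Added example: wrapper for unattended runs of the eDirectory backup script.
# All four settings are assumptions; point BACKUP_CMD at your saved copy.
BACKUP_CMD=${BACKUP_CMD:-/path/to/backup-script}   # placeholder path
DEST=${DEST:-/root/edir-backups}                   # passed to the script's -p
MIN_FREE_KB=${MIN_FREE_KB:-1048576}                # refuse to run below 1 GiB
KEEP_DAYS=${KEEP_DAYS:-15}                         # retention for old files

# free_kb DIR: kilobytes available on the filesystem that holds DIR.
free_kb() {
    df -Pk "$1" | awk 'NR==2 {print $4}'
}

# run_backup: returns 0 on success, 1 if the backup script reported a
# fatal error, 2 if it was never started because space was too low.
run_backup() {
    umask 077                        # archives contain the DIB and NICI keys
    mkdir -p "$DEST" || return 1
    chmod 700 "$DEST" || return 1

    # The script does no space check itself, so do it before DS is stopped.
    avail=$(free_kb "$DEST")
    if [ "${avail:-0}" -lt "$MIN_FREE_KB" ]; then
        echo "only ${avail:-0} KB free in $DEST; backup not started" >&2
        return 2
    fi

    # -s skips the shutdown prompt; the script logs to STDERR, so keep it.
    log="$DEST/backup-$(date +%Y%m%d-%H%M%S).log"
    "$BACKUP_CMD" -s -p "$DEST" 2>"$log"
    rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "fatal error (rc=$rc), see $log; confirm eDirectory restarted" >&2
        return 1
    fi

    # Each run writes new files, so prune old ones only after a good backup.
    find "$DEST" -type f \( -name '*.tar' -o -name '*.log' \) \
        -mtime +"$KEEP_DAYS" -exec rm -f {} \;
    return 0
}

# Run only when asked to, so the functions can also be sourced.
case "${1:-}" in
    run) run_backup; exit $? ;;
esac
```

Invoke it as `sh wrapper.sh run` from cron (wrapper.sh is a hypothetical file name); a non-zero exit is the cue to read the saved log and check the instance.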

The ability to back up other *nixes may come as I am able to find and test them (AIX is probably next). Comments/critiques/questions appreciated. The source is highly commented, and that is for the good of us all.


Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.



  • aburgemeister says:

    A customer noted that extracting the ndsrc-generated archive threw a nastygram when they used tar to extract as shown below:

    # tar -xvf test-12\:34\:56.tar
    test-12: Unknown host
    tar: test-12\:34\:56.tar: Cannot open: Input/output error
    tar: Error is not recoverable: exiting now
    2011-09-12 09:59:00 Jobs:0 Err:2

    The tar command has become smart over time and now appears to know how to chat on the network; as a result if it does not know you are explicitly pointing to a file and it sees a colon (:) in the file name it tries to find something on the network. The default filename created by includes colons to show the time of the backup taken for both eDir and NICI and so if you try to use tar as shown above to extract the archive it will fail (for versions of tar that understand colons may be delimiters for hosts). The workaround for this is to just add a dot-slash before the file:

    # tar -xvf ./test-12\:34\:56.tar

    This tells ‘tar’ that this is a file where you are…. an absolute path should work as well of course… and therefore tar doesn’t try to do anything network-related.

  • gordon_mzano says:

    Just curious…Why would one use ndsrc when there is dsbk (TID 3295479)?

    #!/bin/sh
    # Backup folder; assumed here to be the directory the find/ls lines below use.
    BACKUPFOLDER=/root/backup-edir/cron
    # Clean up old backups…
    find /root/backup-edir/cron -type f -ctime +15 -exec rm {} \;
    dsbk backup -b -f $BACKUPFOLDER/edirbak-`date +%Y-%m-%d`.bak -l $BACKUPFOLDER/edirbk-`date +%Y-%m-%d`.log -t -w

    # Email admin edir backup reports
    # Allow enough time for the edir backup to finish processing.
    echo "" >> /root/backup-edir/cron/edirbak-`date +%Y-%m-%d`.log
    ls -lh /root/backup-edir/cron >> /root/backup-edir/cron/edirbak-`date +%Y-%m-%d`.log
    mail -s "NDS BACKUP REPORT" -a /root/backup-edir/cron/edirbak-`date +%Y-%m-%d`.log </dev/null

    • ab says:

      Good question. I’d definitely recommend using dsbk for anything requiring support, and for any situation where it is likely that you’ll actually be bringing a single server back into a tree with many other replicas-holders. The reason is that dsbk is the ONLY way to properly do this, assuming you do it properly (which is a big assumption), and properly merge in a server such that its copy of data is consistent with all other servers in the tree. If, for example, you do not handle your Roll-Forward Log (RFL) files correctly, restoring with dsbk may not work fully. Back when dsbk was just embox this also required Role Based Services (RBS) to be properly set up in iManager, which was quite painful. There were also bugs with dsbk for a long time which, while not complaining about problems, failed to back up NICI, so restores without NICI were missing things that were encrypted with NICI. It’s all fixed now, but is older than those kinds of issues.

      The script is meant to just grab the DIB and NICI with as few assumptions as possible; the one notable exception to that assumptions rule is: “You know how to restore it and the risks in doing so if there are other servers in the to-be-restored tree.” No need for RFL configuration, having any kind of access to any working eDirectory commands, or much of anything. Just grab the DIB, exactly as it is, maintaining directory structures everywhere, so have a perfect DIB backup for whenever you need it. i.e. be very much like ‘dsrepair -rc’ on NetWare.

    • SvenRogge says:

      Cause ndsrc method worked for me for backing up edirectory on RHEL 5.8 and restoring it on SLES 11 SP 3 and dsbk backup restore does not work as errors like Loader Failed:for /dxevent, error are thrown. Also the edirectory instance is not listening on the ports any more after restarting ndsd after the dsbk restore.

      Thanks for the perl script. It saved me a lot of headache.

      • ab says:

        Thanks for the feedback. I’m glad to hear it worked for you, and if you have any other thoughts on it let me know. The current version should work with eDirectory 9.0 once it is out, too, at least based on beta testing.

By: ab
Mar 22, 2012
10:15 am